Ransomware attacks on companies are one of the fastest-growing and most destructive cybersecurity risks today. According to Wired, in 2019, the cost of direct damages from such incidents was in excess of $12 billion.1 Companies hit by ransomware are often faced with two stark choices. They can either pay up and hope the cybercriminals send the decryption key, or else rebuff them and fix the problem themselves, an option that could end up costing more than the ransom. On the other side of the coin, cybercriminals who receive the payment, usually in bitcoins or some other cryptocurrency, then need to launder that money so that it can’t be traced. This may be through, for example, crypto-exchanges (both regulated and unregulated), gambling, and dark web markets.
In the past, even if the ransom money could be tracked, there was an issue in getting it seen as recoverable property under law. Traditionally, property was defined either as a ‘thing in possession’ or a ‘thing in action.’ Cryptocurrencies, because they existed in cyberspace, were neither tangible nor capable of being physically possessed. Then, in January 2020, a UK court made history by clearly declaring that a cryptocurrency should be considered property and therefore could be the subject of a proprietary injunction. This landmark case, known as AA v. Persons Unknown [2019] EWHC 2556 (Comm), made for a good start in tackling how hackers launder their ill-gotten gains. However, as we shall see, more still has to be done regarding the issues surrounding the transnational nature of cryptocurrencies and the problems of jurisdiction when it comes to getting information from currency exchanges.2
Background
Last October, a Canadian insurance company fell victim to the Bitpaymer Ransomware. The note left on the infected computers read:
‘Hello [insured customer] your network was hacked and encrypted. No free decryption software is available on the web. Email us at […] to get the ransom amount. Keep our contact safe. Disclosure can lead to impossibility of decryption. Please use your company name as the email subject.’3
Luckily, the company had digital insurance in place with a British company, and they brought in a specialist team to negotiate with the hackers. Eventually, the negotiators managed to bring the ransom demand down from $1.2 million to $950,000 (approximately 109.25 bitcoins). Once the amount had been paid, the attacker handed over the decryption key, and the victim was able to decrypt its 20 servers and 1,000 desktop computers over the next ten days.4 However, what the attackers did not know was that the British insurance company had also hired the blockchain analytics company, Chainalysis, Inc., to track the payment. They found that, while some of the ransom had been transferred into ‘fiat’ currency,5 the larger part of it, around $860,000 (96 bitcoins), had been sent to a bitcoin wallet at Bitfinex, a cryptocurrency exchange operated by iFINEX and BFXWW.
The Court Case
Subsequent to Chainalysis’ investigations, the British insurers filed three applications to the High Court in London:
- For the hearing to be in private.
- For a proprietary interim injunction to freeze the wallet so that the bitcoins could not be moved elsewhere.
- For a Norwich Pharmacal and/or a Bankers Trust disclosure order to compel Bitfinex to reveal the identity of the owners of the wallet.6
Justice Simon Bryan, overseeing the case, agreed to the private hearing, noting that:
‘If the hearing were to be held in public there is a strong likelihood that the object of the application would be defeated. First of all, there would be the risk, if not the likelihood, of the tipping off of persons unknown to enable them to dissipate the bitcoins held at the second defendant’s account with Bitfinex…’7
The hearing took place on January 13, with the findings being made public on January 17. In his deliberations, the judge took note of a report published in November 2019 by the UK Jurisdiction Taskforce. This recommended that in the UK, such cryptocurrencies should be considered property, therefore making the freezing and reclamation of them more straightforward.8 After careful deliberation, and a look at two similar previous cases, Justice Bryan decided that, because it was definable, identifiable by third parties and capable of some degree of permanence, cryptocurrency could be viewed as property in law.9 The proprietary interim injunction was granted.
The granting of a Norwich Pharmacal and/or a Bankers Trust disclosure order to establish the identity of the wallet holder at Bitfinex was more complex. This part of the application, along with a Freezing Injunction, was adjourned until a later date so that a solution could be found to the problem of the court’s jurisdiction in a foreign nation. Justice Bryan also made additional consequential orders to support the proprietary injunction, all relating to discovering the identities of all of the defendants in the case. While the judge indicated that Bitfinex was willing to co-operate with such a court order, it is not known yet whether that is the case, or when the hearing will be re-adjourned.
Conclusion
So, even though this case has added some clarity around the status of cryptocurrency in law, further work still needs to be done to facilitate the ability to serve any claim outside of the court’s jurisdiction. In addition, more clarity is required on the liability of cryptocurrency exchanges in any claims made in the future. That is, have they acted as innocent parties in the receiving and holding of illegally-obtained funds, or are they complicit in the crime through lack of due diligence? It seems that the issue lies in being able to prove responsibility in these matters before any court order against such parties can be served.
Despite the mini-victory won on behalf of ransomware victims by this hearing, we should be aware that not all ransomware incidents will end up in court. This time the insurers were lucky that the stolen funds could be tracked down. Criminals often store the ransom elsewhere and only use these exchanges when they want to cash it out into fiat currencies. It is rare for funds to be held in legitimate exchanges for any length of time, and it appears that the attacker made a mistake in the AA case, allowing the insurance company to get lucky.10 It is likely that cybercriminals will learn from what happened in AA and will be less likely to store ransom funds for any length of time in an exchange. And they are less likely to turn to one that trades in fiat currencies where anti-money laundering legislation applies. Instead, in future, they will probably use unregulated exchanges to sell the bitcoins for other more anonymous (private coin) cryptocurrencies such as Monero. This will ensure that no-one will be able to trace or take back those monies. Of course, it may also be that the criminals will bypass bitcoin altogether and only use private coin currencies.
Of course, it is better that companies have good defenses against ransomware attacks in the first place. These include:
- Back up your most crucial files regularly, and in a database separate from your main network.
- Educate staff on cybersecurity issues such as phishing, BECs, and having strong passwords. In other words, invest in cybersecurity awareness training like Saya University!
- Install good anti-malware software and keep it, and any other software, patched and updated to the latest version. But please don’t rely on this alone.
- Keep Windows computers’ firewalls turned on and configured correctly. Use additional firewalls if possible.
- Disable macros and ActiveX in Microsoft Office programs.
- Consider disabling other potential security risks such as file sharing, remote services, autoplay, Windows Script Host, and Windows PowerShell.
- Configure anti-spam filters in your email client to block any emails with suspicious attachments (e.g., .exe, .vbs, or .scr).
- Turn off any wireless connections not in use, such as Bluetooth. Review default settings and open ports.
- If any suspicious activity is spotted on the network, make sure that the internet is disconnected at once.
References
1. Moty Cristal, ‘In 2020, Ransomware Attacks Will Take Aim at Public Infrastructure,’ Wired, 01/02/2020, accessed at https://www.wired.co.uk/article/ransomware-2020
2. ‘Cryptocurrencies – Onwards to the Next Frontier?’, ReedSmith, 04/21/2020, accessed at https://www.reedsmith.com/en/perspectives/2020/04/cryptocurrencies-onwards-to-the-next-frontier
3. David Bisson, ‘UK Court Approves Freezing Injunction on $1M Ransomware Payment,’ Security Boulevard, 01/31/2020, accessed at https://securityboulevard.com/2020/01/uk-high-court-approves-freezing-injunction-on-1m-ransomware-payment/
4. Dan Swinhoe, ‘Insurer Pays Ransomware Demand, Freezes Account to Reclaim Later,’ CSO Online, 02/18/2020, accessed at https://www.csoonline.com/article/3527411/insurer-pays-ransomware-demand-freezes-account-to-reclaim-later.html
5. ‘Fiat’ currency is any currency deemed as legal tender or government-backed, such as the dollar, or the British pound.
6. ‘English High Court Rules in Cyber Insurance Case That Cryptoassets are Property,’ CMS Law Now, 02/04/2020, accessed at https://www.cms-lawnow.com/ealerts/2020/02/english-high-court-rules-in-cyber-insurance-case-that-cryptoassets-are-property
7. From ‘AA v Persons Unknown & Ors, Re Bitcoin [2019],’ England and Wales High Court (Commercial Court) Decisions, accessed at http://www.bailii.org/ew/cases/EWHC/Comm/2019/3556.html
8. ‘Legal Statement on Cryptoassets and Smart Contracts,’ UK Jurisdiction Taskforce, November 2019, accessed at https://35z8e83m1ih83drye280o9d1-wpengine.netdna-ssl.com/wp-content/uploads/2019/11/6.6056_JO_Cryptocurrencies_Statement_FINAL_WEB_111119-1.pdf
9. ‘Cryptocurrencies – Onwards to the Next Frontier?’, ReedSmith, 04/21/2020, accessed at https://www.reedsmith.com/en/perspectives/2020/04/cryptocurrencies-onwards-to-the-next-frontier
10. Dan Swinhoe, ‘Insurer Pays Ransomware Demand, Freezes Account to Reclaim Later,’ CSO Online, 02/18/2020, accessed at https://www.csoonline.com/article/3527411/insurer-pays-ransomware-demand-freezes-account-to-reclaim-later.html